
Fix mssense.exe High CPU Usage in Windows (Microsoft Defender for Endpoint)


1. Introduction

mssense.exe is the Microsoft Defender for Endpoint (MDE) Sense service. When it consumes excessive CPU or memory, endpoints lag, scheduled jobs slip, and server SLAs can wobble. This tutorial explains what drives the spike and provides safe, reversible fixes that preserve your protection posture.

2. Quick Triage


  1. Restart the service: Press Win+R → services.msc → Microsoft Defender for Endpoint Service → Restart.
  2. Run Windows Update: Install pending cumulative, platform, and Defender engine updates.
  3. Check if a scan is running: Windows Security → Virus & threat protection → Scan options. High CPU is expected during active scans.
  4. Reboot once: Post-update spikes often clear after a restart.

If CPU remains >30–40% for >10 minutes while idle, continue below.

3. Prerequisites

  • Local Administrator privileges
  • PowerShell (Run as Administrator)
  • Access to Microsoft 365 Defender portal for enterprise fleets
  • Endpoint connectivity to Microsoft cloud services
  • Optional: Sysinternals Process Explorer and Performance Monitor (perfmon.exe)

4. Step-by-Step Guide


Step 1. Verify the binary, location, and signature

  1. Open Task Manager → Details, locate mssense.exe.
  2. Right-click → Open file location. Legitimate path:
    C:\Program Files\Windows Defender Advanced Threat Protection\
  3. Right-click → Properties → Digital Signatures → ensure it’s signed by Microsoft Corporation.

Warning: If the file sits outside the ATP directory or lacks a valid Microsoft signature, treat as suspicious and run a full scan immediately.
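The same three checks (running image path, location under the ATP directory, Microsoft Authenticode signature) as an added PowerShell example, not part of the original guide. It assumes an elevated session and uses the process name MsSense and the directory the guide lists; the verdict mirrors the warning above.

```powershell
# Added example (not from the original guide): verify every running mssense.exe
# instance against the expected directory and a valid Microsoft signature.
$expectedDir = Join-Path $env:ProgramFiles 'Windows Defender Advanced Threat Protection'

# Win32_Process reports ExecutablePath even for protected processes (needs admin)
$procs = Get-CimInstance Win32_Process -Filter "Name = 'MsSense.exe'"
if (-not $procs) {
    Write-Output 'mssense.exe is not running (Sense service stopped or device not onboarded).'
    return
}

foreach ($p in $procs) {
    $path = $p.ExecutablePath
    if (-not $path) {
        Write-Warning "PID $($p.ProcessId): could not read image path (run as Administrator)."
        continue
    }

    # Check 1: the image must live under the ATP directory
    $inExpectedDir = $path.StartsWith($expectedDir, [System.StringComparison]::OrdinalIgnoreCase)

    # Check 2: Authenticode (embedded or catalog) signature must be valid and from Microsoft
    $sig      = Get-AuthenticodeSignature -FilePath $path
    $signerOk = ($sig.Status -eq 'Valid') -and
                ($sig.SignerCertificate.Subject -like '*CN=Microsoft Corporation*')

    [pscustomobject]@{
        PID       = $p.ProcessId
        Path      = $path
        InATPDir  = $inExpectedDir
        SigStatus = $sig.Status
        Signer    = $sig.SignerCertificate.Subject
        Verdict   = if ($inExpectedDir -and $signerOk) { 'OK' } else { 'SUSPICIOUS - run a full scan' }
    }
}
```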

Step 2. Check Sense service health

# Confirm the Sense service is running, then restart it
Get-Service Sense | Select-Object Name, Status
Restart-Service Sense -Force
# Confirm the Defender antimalware components are still enabled after the restart
Get-MpComputerStatus | Select-Object AMServiceEnabled, AntivirusEnabled, RealTimeProtectionEnabled, NISServiceEnabled

Step 3. Refresh Defender engine, platform, and signatures

# MpCmdRun.exe is not on PATH: run these from "%ProgramFiles%\Windows Defender\" or use the full path
# Update definitions
MpCmdRun.exe -SignatureUpdate

# If corruption is suspected, rebuild definitions then update
MpCmdRun.exe -RemoveDefinitions -All
MpCmdRun.exe -SignatureUpdate

# Verify versions
Get-MpComputerStatus | Select-Object AMEngineVersion, AMProductVersion, AntivirusSignatureVersion

Step 4. Right-size scanning with temporary exclusions (for heavy I/O)

For build artifacts, backup targets, or DB data files, consider a temporary exclusion to test impact:

Add-MpPreference -ExclusionPath "C:\Program Files\YourApp"
Add-MpPreference -ExclusionPath "D:\BackupData"

Security note: Only exclude trusted, controlled paths. Remove temporary exclusions after testing.

Step 5. Rebuild the Sense (MDE) component

  1. Stop the service:
    sc.exe stop sense    # use sc.exe explicitly: in PowerShell, sc is an alias for Set-Content
  2. Uninstall Sense:
    "%ProgramFiles%\Windows Defender Advanced Threat Protection\SenseCM.exe" -uninstall
  3. Re-onboard using your MDE onboarding package from the Microsoft 365 Defender portal.
  4. Reboot and validate CPU behavior.

Step 6. Correlate with Performance Monitor

  1. Run perfmon.exe → Performance Monitor → Add → Process → % Processor Time → mssense.exe.
  2. Optionally add Process → IO Data Bytes/sec and Network Interface → Bytes Total/sec to confirm whether the load is expected (active scan/telemetry) or anomalous.
  3. Observe for 10–15 minutes when the system is otherwise idle.
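The Step 4 exclusion test and the Step 6 observation combined into one reversible measurement, as an added PowerShell example that is not part of the original guide. It assumes an elevated session on an otherwise idle system; the path, sample length and interval are assumed values, and the thresholds are the ones this guide uses (<5% idle is healthy, >30% sustained for 10 minutes is a problem).

```powershell
# Added example (not from the original guide): sample mssense.exe CPU before and during a
# temporary exclusion, then remove the exclusion in a finally block so the test always reverts.
$TestPath = 'D:\BackupData'   # assumed high-churn path from Step 4; adjust for your system
$Minutes  = 10                # assumed sample length per phase (guide: observe 10-15 min idle)
$Interval = 10                # assumed seconds between samples

function Measure-SenseCpu([int]$Minutes, [int]$Interval) {
    $cores = (Get-CimInstance Win32_ComputerSystem).NumberOfLogicalProcessors
    $sets  = Get-Counter -Counter '\Process(MsSense)\% Processor Time' `
                         -SampleInterval $Interval `
                         -MaxSamples ([int]($Minutes * 60 / $Interval)) -ErrorAction Stop
    # Process counters add up every core, so divide by core count for a 0-100% figure
    $pcts  = $sets | ForEach-Object { $_.CounterSamples[0].CookedValue / $cores }
    [pscustomobject]@{
        AvgPct = [math]::Round(($pcts | Measure-Object -Average).Average, 1)
        MaxPct = [math]::Round(($pcts | Measure-Object -Maximum).Maximum, 1)
    }
}

$before = Measure-SenseCpu $Minutes $Interval
Write-Output ("Baseline:       avg {0}%  max {1}%" -f $before.AvgPct, $before.MaxPct)

# Never remove an exclusion this script did not add
$already = (Get-MpPreference).ExclusionPath -contains $TestPath
if ($already) { Write-Warning "$TestPath is already excluded; measuring without changes." }
else {
    # On centrally managed devices Tamper Protection can refuse local exclusion changes;
    # the error stops the script here, before anything needs reverting.
    Add-MpPreference -ExclusionPath $TestPath -ErrorAction Stop
}
try {
    $during = Measure-SenseCpu $Minutes $Interval
} finally {
    if (-not $already) { Remove-MpPreference -ExclusionPath $TestPath }   # always revert
}
Write-Output ("With exclusion: avg {0}%  max {1}%" -f $during.AvgPct, $during.MaxPct)

# Interpret against the guide's thresholds
if     ($during.AvgPct -lt 5)                     { 'Healthy: Sense settles below 5% when idle' }
elseif ($before.AvgPct - $during.AvgPct -ge 10)   { 'Exclusion helped: narrow it and manage it centrally (Section 6)' }
elseif ($during.AvgPct -ge 30)                    { 'Sustained high CPU regardless of the path: continue with Step 5' }
else                                              { 'Marginal change: this path is probably not the cause' }
```

Run it once per candidate path; a second run with the same path should show the exclusion gone from Get-MpPreference before it starts.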

5. Validation and Testing

  • Idle CPU: mssense.exe should settle <5% when the system is idle.
  • Health check:
    Get-MpComputerStatus
  • Functional scan: Run a Quick scan to ensure protection remains intact.
  • Persistence: Reboot and confirm stable CPU.

6. Security Hardening

  1. Tamper Protection: Windows Security → Virus & threat protection settings → Tamper Protection → On.
  2. Attack Surface Reduction (ASR) rules: Prefer behavior blocking to reduce file I/O pressure where appropriate.
  3. Centralized policy: Manage exclusions and settings in Microsoft 365 Defender, not locally, for consistency and auditability.
  4. Fleet monitoring: Use device performance signals in the Defender portal to spot widespread anomalies early.

7. Conclusion

Most mssense.exe CPU spikes trace back to active scans, outdated/corrupted signatures, or edge-case workloads with heavy file churn. Updating Defender components, validating service health, and—if needed—rebuilding Sense typically resolve the issue without compromising protection.

8. FAQ

1. Is mssense.exe a virus?

No. It is the Microsoft Defender for Endpoint Sense service. Verify authenticity by checking the file is in C:\Program Files\Windows Defender Advanced Threat Protection\ and signed by Microsoft.

2. Can I disable mssense.exe to stop the CPU spike?

Disabling the Sense service removes MDE protection and is not recommended. Prefer a service restart, engine/signature updates, temporary exclusions for high-churn paths, or a clean reinstall of the Sense component.

3. Why does CPU spike after Windows or Defender updates?

After updates, Sense reinitializes engines, models, and caches and may run background integrity checks. Short-lived spikes are expected and typically subside after one reboot.

4. Do exclusions reduce protection?

Slightly, yes. Limit exclusions to trusted, controlled paths (e.g., build artifacts, backup targets) and manage them centrally via Microsoft 365 Defender. Remove temporary exclusions after testing.

5. What is a healthy idle CPU level for mssense.exe?

On modern hardware, mssense.exe should settle below ~5% CPU when the system is idle. Brief transient spikes during scans or definition updates are normal.
